JAN 26, 2010 4:48pm ET

Encryption on the Front Lines of Defense

An increasing number of companies are concerned that current standards to protect payment card data may be subpar, and have seized on encryption.

Some of the biggest names in payments have endorsed encryption, with several vendors offering or testing systems that encode card data as soon as it hits the processing chain.

And though there is no standardized approach for delivering encryption capabilities, there is a growing consensus that it is becoming a crucial element of a security strategy.

"There's a major focus on improving payment security in the United States," said Robert O. Carr, the chairman and chief executive of Heartland Payment Systems Inc.

Carr emerged as an advocate of encryption last year after his company announced in January that it had discovered a serious breach of its systems.

He said the publicity surrounding the incident, as well as similar breaches that preceded it, have helped merchants understand the consequences of failing to protect data at all points.

To be sure, there are other methods of protecting card data, Carr said, but these alternatives may lack the legs or the scope that encryption has. For example, the EMV Integrated Circuit Card Specification, widely used abroad, has never caught on in the United States, he noted, and tokenization, the practice of replacing a real card number with a temporary proxy that acts to reference the actual account data, does not protect data when it is first captured.

"EMV is going to take years to become fully deployed, if and when the U.S. decides to deploy it," and "tokenization is not a complete solution in our view," Carr said. "Encryption is a solution that is available today."

A key driver is the Payment Card Industry data security standard for companies' treatment of card data.

It's important to note that while the PCI standard demands strict security for any systems that touch legible payment data, it is neutral on how this can be achieved.

However, many executives say that obfuscating data through encryption can go a long way toward complying with the standard.

The idea of using encryption to attain PCI compliance got a boost in October when Visa Inc. published a set of best practices explaining how merchants can make use of the technology. Visa has been the PCI standard's most vocal enforcer and has been an active participant in talks to develop an industrywide encryption standard, though these guidelines stopped short of recommending any single method or advocating mandatory use.

Eduardo Perez, Visa's global head of data security, said the guidelines have helped the industry embrace the technology.

"It was valuable to have those best practices for" merchants "to evaluate solutions they are considering," Perez said. "They want more specificity."

Those who champion encryption are trying to provide their own assurances. Heartland this month is launching its encryption system under the brand E3, with a guarantee: If a company using the system suffers a breach, Heartland promises to pay any penalties that might be assessed.

The Princeton, N.J., processor knows firsthand the consequences of not meeting the PCI requirements. It disclosed in January that it had suffered a severe data breach, and though it had passed six annual assessments before that, after the incident it paid millions in fines and settlements to the card brands.

Soon after the revelation, the company said the impact of the breach would have been much smaller if the data had been encrypted, and issued an industrywide call for broader use of encryption.

Steven M. Elefant, Heartland's chief information officer, said that when larger merchants run afoul of the PCI rules, they "can afford a fine," though of course they would prefer to avoid any fine. Smaller merchants face much more risk, he said, as the penalties assessed by the card brands are sometimes heavy enough to put them out of business.

Heartland is outspoken about wanting to spread encryption as far along the payment rails as possible. Elefant said the company is working with two of the four leading card brands to allow it to hand off data in an encrypted format and that it is in talks with the other two.

Elefant joined Heartland a year ago to help fast-track its encryption strategy. In the past six months the company has tested the E3 encryption system with a revolving group of 12 merchants. Aside from minor tweaks to the hardware, such as adjusting the volume when the machine beeps, the trial ran smoothly and the main goal was achieved: enabling businesses to accept card payments without giving them access to account data.

Merchants using E3 "don't see a card number and they don't have the ability to decrypt it," Elefant said.

He said this feature is especially compelling to smaller merchants, which the card companies categorize as Level Four. Unlike larger merchants, Level Four merchants often lack the expertise to perform detailed overhauls of their systems and would prefer a plug-and-play device to handle their security problems.

The biggest merchants, Level One, by contrast, may prefer to use encryption selectively. Large merchants "perform other functions aside from card payments that are on their network," and might perceive it as overkill to apply PCI-grade security to systems that have only fleeting contact with card data, Perez said.

For example, a large merchant with several franchise locations might want to encrypt the data until it gets to a secure central location, where the card details can be decrypted and properly routed.

Large corporate environments "are so complicated, and there's really, today, no way for a merchant to ensure complete security throughout their enterprise," said Paul Rasori, the senior vice president of global marketing for VeriFone Holdings Inc.

VeriFone, a terminal maker based in San Jose, has been pushing encryption for about two years and began offering its Verishield Protect system last year.

By selling terminals that encrypt data at the moment it is swiped, VeriFone guarantees that merchants have a way to secure the first endpoint: the moment when card data enters their system.

Encryption "goes beyond where PCI has left off," Rasori said. "We're actually protecting data at the root, at the inception."

Trying to address security solely through PCI compliance is impractical, since there are too many variables that make it difficult to keep system access secure, Rasori said.

"It's very, very difficult to maintain that level of security," he said. "Most of the data breaches that you hear about nowadays are from merchants that thought they were in compliance with all of the PCI guidelines. The problem is these systems change on a daily basis. You hire new employees, people don't follow procedures — most likely, it's inadvertent."

VeriFone is part of the Secure Point-of-Sale Vendor Alliance, as are two of its rivals, Ingenico SA and Hypercom Corp. The alliance was launched in April to promote a consistent security methodology.

Christopher Justice, Ingenico's president for North America, said the French company is changing its approach to encryption to allow encryption at the point where a card is swiped, which is what merchants now expect.

Ingenico's current model encrypts data as it leaves the terminal, which means a hacker still could intercept information between the time of the swipe and the time the data is encrypted, Justice said.

"What we're doing is moving the bar," he said. "We feel that the only real way to protect the data in flight is to go all the way out to the edge" — the point where it enters the payment system.
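The trust boundary the article keeps returning to, as an added example that is not from the article or any vendor named in it: with tokenization alone the card number sits in merchant memory until the processor returns a proxy, whereas encryption at the read head means the POS only ever handles ciphertext it holds no key for. The cipher here is a constructed HMAC-based stand-in for the terminal's hardware cryptography, and every name and key is an assumption.

```python
"""Constructed model of the two capture-time designs the article contrasts.
The HMAC-SHA256 keystream cipher is a toy stand-in for terminal hardware
crypto, not any vendor's algorithm."""
import hashlib
import hmac
import os

# Constructed: key provisioned into the terminal's read head and held by the
# processor; the merchant POS never receives it.
PROCESSOR_KEY = os.urandom(32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt_at_swipe(pan: str, key: bytes = PROCESSOR_KEY) -> bytes:
    """Runs inside the read head; the POS only ever receives this blob."""
    nonce = os.urandom(16)
    data = pan.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def processor_decrypt(blob: bytes, key: bytes = PROCESSOR_KEY) -> str:
    """Processor side: verify integrity, then recover the PAN for authorisation."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("capture blob failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def tokenize(pan: str) -> str:
    """Processor side: a random proxy the merchant may store; keeps last four."""
    return "TOK" + os.urandom(6).hex() + pan[-4:]


def merchant_pos_tokenization_only(pan: str) -> tuple:
    """Plaintext PAN exists in merchant memory until the token comes back."""
    captured = pan  # the exposure window between swipe and tokenization
    return captured, tokenize(pan)


def merchant_pos_encrypt_at_swipe(pan: str) -> tuple:
    """Merchant code sees ciphertext only; decryption happens at the processor."""
    blob = encrypt_at_swipe(pan)
    seen_by_merchant = blob.hex()
    return seen_by_merchant, tokenize(processor_decrypt(blob))
```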

Ingenico plans to test the new equipment in February and, if all goes well, make it generally available in March. VeriFone's Rasori said that encrypting data as it enters the merchant's system is "the most foolproof way" to protect it.

In one case, VeriFone no longer gives merchants a choice. Its upcoming PAYware Mobile, a card-acceptance device that attaches to Apple Inc.'s iPhone, can only be bought with encryption capabilities switched on.

"The iPhone platform is not necessarily open, [but] it still is a very widely distributed developer kit," he said. Because so many amateur developers have the ability to write software for the device, "we didn't feel comfortable that we could properly control the security of that platform."

Encryption was seen as the answer. After the PAYware Mobile encrypts card data, the iPhone sends it off to be processed. Because the encryption is handled within the VeriFone hardware, it "essentially takes the iPhone and the network out of the security-critical path," Rasori said.

Ironically, encryption can make it easier for merchants to meet the spirit but not the letter of the PCI standard.

Avivah Litan, a vice president and distinguished analyst at Gartner Inc., a market research company in Stamford, Conn., said that Visa's efforts have addressed some merchant concerns but that the company and its peers should go further.

"It definitely helps to have the Visa guidelines," Litan said. "That makes retailers feel more comfortable."

But she said Visa's guidelines have no teeth, because such extensive encryption is not formally included within the PCI rules.

Merchants must submit to periodic security audits to verify that they meet the PCI standard, and in theory, encryption should make these evaluations easier.

However, there is no formal mechanism for auditors to note that a merchant's systems are protected through encryption, Litan said. The technology "doesn't officially reduce the scope of the audit."

As a result, "they're leaving way too much open to interpretation," Litan said. "If you've implemented end-to-end encryption, you'll have a simpler audit, but it's not a formally simpler audit."

Heartland and VeriFone both expect the majority of their customers to use some form of encryption within the next five years. (The companies are not working together toward this goal; in fact, they are engaged in a bitter legal fight over alleged violation of encryption patent rights and unfair business practices.)

Litan said there is a 30% chance that most merchants will be using encryption within that time frame, and explained her lower estimate by noting that encryption at the point of swipe is not explicitly mandated.

Nick Holland, a senior analyst at Aite Group LLC in Boston, said the vendors' projections are more realistic. Some merchants may choose encryption because they think it helps with PCI compliance, and "PCI compliance is a chore at best," he said. "It's something that companies are loath to do." To other merchants, "encryption is an insurance policy," Holland said. "Like any insurance policy, you need it for eventualities that might happen."

The trade in stolen card data "is an industry in its own right," he said, and hackers are constantly on the prowl to find new data. Merchants that encrypt their data as it is swiped are far less inviting as breach targets.

"Given that the U.S. isn't going to replace card technology anytime in the foreseeable future, any form of encryption is the best tool at the moment," Holland said.
